
Why is execution of a portion of code loaded from an external file not halted by DEP?

I've harnessed a project released on the internet a long time ago. Here come the details, with all irrelevant things stripped out for the sake of concision and clarity.

A binary file whose content is described below


55 89 E5 83 EC 08 C7 45 FC 00 00 00 00 8B 45 FC 
3B 45 10 72 02 EB 19 8B 45 FC 8B 55 0C 01 C2 8B 
45 FC 03 45 08 8A 00 88 02 8D 45 FC FF 00 EB DD 
C6 45 FA 00 83 7D 10 01 76 6C 80 7D FA 00 74 02 
EB 64 C6 45 FA 01 C7 45 FC 00 00 00 00 8B 45 10 
48 39 45 FC 72 02 EB E2 8B 45 FC 8B 4D 0C 01 C1 
8B 45 FC 03 45 0C 8D 50 01 8A 01 3A 02 73 30 8B 
45 FC 03 45 0C 8A 00 88 45 FB 8B 45 FC 8B 55 0C 
01 C2 8B 45 FC 03 45 0C 40 8A 00 88 02 8B 45 FC 
03 45 0C 8D 50 01 8A 45 FB 88 02 C6 45 FA 00 8D 
45 FC FF 00 EB A7 C9 C2 0C 00 90 90 90 90 90 90

is loaded into memory and executed using the following method snippet

  MyDestArray: array [1 .. 15] of Byte;

  // ...

  MyBuffer: Pointer;

  TheProc: procedure;
  SortIt: procedure(ASrc, ADest: Pointer; ASize: LongWord); stdcall;
  // Initialization of MySrcArray with random Bytes and display here ...

  // Instructions of loading of the binary file into MyBuffer using merely **GetMem** here ...

  @SortIt := MyBuffer;

      SortIt(@MySrcArray, @MyDestArray, 15);

      // Display of MyDestArray (The outcome of the processing !)
    // Invalid code error handling

  // Cleaning code here ...  

works like a charm on my box.

My Question:

How come it works without using VirtualAlloc and/or VirtualProtect?


  • I'm assuming you are asking why this works without being stopped by Data Execution Prevention? For 32-bit programs, DEP is opt-in by default, meaning that the application must explicitly enable it.

    If you change the DEP setting to "Turn on DEP for all programs and services except those I select" then your application will trigger a DEP warning and crash.
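
An added example, not part of the original question or answer: a 32-bit Delphi console program that reports whether DEP is enforced for the process, opts in with SetProcessDEPPolicy, and uses the allocation pattern that keeps working under DEP (VirtualAlloc as read/write, then VirtualProtect to execute/read). The one-byte RET stub and the names DepEnabled and AllocExecutable are constructed for illustration; the two DEP functions are declared by hand on the assumption that the Windows unit in use does not declare them and that the OS exports them (XP SP3 or later).

```delphi
program DepDemo;
{$APPTYPE CONSOLE}
uses Windows, SysUtils;

const PROCESS_DEP_ENABLE = $00000001;
type TStub = procedure;

// Hand-written imports (assumption: not declared by the Windows unit in use).
function GetProcessDEPPolicy(hProcess: THandle; var lpFlags: DWORD;
  var lpPermanent: BOOL): BOOL; stdcall; external kernel32;
function SetProcessDEPPolicy(dwFlags: DWORD): BOOL; stdcall; external kernel32;

// True when DEP is enforced for the current 32-bit process.
function DepEnabled: Boolean;
var Flags: DWORD; Permanent: BOOL;
begin
  Result := GetProcessDEPPolicy(GetCurrentProcess, Flags, Permanent) and
    ((Flags and PROCESS_DEP_ENABLE) <> 0);
end;

// Copies Code into fresh read/write pages, then makes them execute/read only,
// so the memory is never writable and executable at the same time.
function AllocExecutable(Code: Pointer; Size: DWORD): Pointer;
var OldProtect, Err: DWORD;
begin
  Result := VirtualAlloc(nil, Size, MEM_COMMIT or MEM_RESERVE, PAGE_READWRITE);
  if Result = nil then RaiseLastOSError;
  Move(Code^, Result^, Size);
  if not VirtualProtect(Result, Size, PAGE_EXECUTE_READ, OldProtect) then
  begin
    Err := GetLastError;              // save before VirtualFree overwrites it
    VirtualFree(Result, 0, MEM_RELEASE);
    raise Exception.Create(SysErrorMessage(Err));
  end;
  FlushInstructionCache(GetCurrentProcess, Result, Size);
end;

const Stub: array[0..0] of Byte = ($C3);  // constructed sample: a lone RET
var P: Pointer;
begin
  Writeln('DEP enforced at start: ', DepEnabled);
  if (not DepEnabled) and (not SetProcessDEPPolicy(PROCESS_DEP_ENABLE)) then
    Writeln('Opt-in failed: ', SysErrorMessage(GetLastError));
  Writeln('DEP enforced now: ', DepEnabled);
  P := AllocExecutable(@Stub, SizeOf(Stub));
  TStub(P)();                             // runs from execute/read pages
  VirtualFree(P, 0, MEM_RELEASE);
end.
```

Once the opt-in succeeds, calling into a buffer obtained from GetMem, as in the question, raises an access violation, while the VirtualAlloc/VirtualProtect path continues to work.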